Outlook Bug Allowed Hackers to Use .RTF Files To Steal Windows Passwords

A vulnerability in Microsoft Outlook allowed hackers to steal a user’s Windows password just by having the target preview an email with a Rich Text Format (RTF) attachment that contained a remotely hosted OLE object.

The bug was patched by Microsoft as part of its April Patch Tuesday fixes, over a year after it was first identified.

“By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim’s IP address, domain name, user name, host name, and password hash,” according to the CERT description of the vulnerability, found by Will Dormann, a researcher with the CERT Coordination Center.

Next, Dormann was able to crack password hashes offline.

The vulnerability () is tied to how Windows Object Linking and Embedding (OLE) Automation works in the context of .RTF files. OLE is a Windows protocol that enables applications to share data. For example, OLE allows an author of a document to embed content, such as images and sounds, from one program into Microsoft Office documents as objects.

Dormann’s technique also used the Windows’ Server Message Block (SMB) protocol. SMB allows a file on a remote server to be accessed in a similar way to how a file on a local drive can be accessed, he wrote in a post outlining his research.

Because Outlook includes the ability to send rich text (RTF) email messages, Dormann was able to insert an (RTF) object into the email message composed in Outloook. The object was hosted on a remote server.

“RTF documents (including email messages) can include OLE objects. Due to SMB, OLE objects can live on remote servers,” Dormann wrote. “With a rich text email (RTF), the OLE object is loaded with no user interaction” when the email recipient previews the message in Outlook.

Microsoft has long tried to prevent images from automatically loading in Outlook due to the privacy risk of web bugs. Web bugs are sometimes called tracking beacons and are used by email senders to collect recipient user metadata, such as the system’s IP address and the time a missive is viewed.

Microsoft does not permit Word and HTML formatted Outlook messages to automatically display OLE or other content unless the user permits it. The loophole Dormann found is with RTF documents and metadata transmitted via the SMB channel.

Using the Wireshark, the free and open-source packet analyzer, the researcher was able to identify the victim’s IP address, domain name, username and Microsoft LAN Manager (NTLMv2) password hash.

“A remote OLE object in a rich text email messages functions like a web bug on steroids,” Dormann wrote.

The vulnerability exists because Outlook automatically renders OLE content and initiates an automatic authentication with the attacker’s controlled remote server over SMB protocol using a single sign-on. That exposes the Windows password hash of the person logged into the PC.

Microsoft was notified of the vulnerability in November 2016 by Dormann, over a year ago.

Microsoft’s patch () prevents Outlook from automatically initiating SMB connections when an RTF email is previewed. But researchers at CERT suggest the fix could be better.

“Note that other techniques requiring additional user interaction will still function after this patch is installed. For example, if an email contains a UNC link, like \\attacker\foo, Outlook will automatically make this link clickable. If a user clicks such a link, the impact will be the same as with this vulnerability,” the CERT advisory warns.

Suggested mitigation includes blocking Windows NT LAN Manager from single sign-on authentication and enforcing a policy of requiring users to adopt complex passwords resistant to cracking.